Canadian police last week raided the residence of a Toronto software developer behind “Orcus RAT,” a product that’s been marketed on underground forums and used in countless malware attacks since its creation in 2015. Its author maintains Orcus is a legitimate Remote Administration Tool that is merely being abused, but security experts say it includes multiple features more typically seen in malware known as a Remote Access Trojan.
As first detailed by KrebsOnSecurity in July 2016, Orcus is the brainchild of John “Armada” Rezvesz, a Toronto resident who until recently maintained and sold the RAT under the company name Orcus Technologies.
In an “official press release” posted to pastebin.com on Mar. 31, 2019, Rezvesz said his company recently was the subject of an international search warrant executed jointly by the Royal Canadian Mounted Police (RCMP) and the Canadian Radio-television and Telecommunications Commission (CRTC).
“In this process authorities seized numerous backup hard drives [containing] a large portion of Orcus Technologies business, and practices,” Rezvesz wrote. “Data inclusive on these drives include but are not limited to: User information inclusive of user names, real names, financial transactions, and further. The arrests and searches expand to an international investigation at this point, including countries as America, Germany, Australia, Canada and potentially more.”
Reached via email, Rezvesz declined to say whether he was arrested in connection with the search warrant, a copy of which he shared with KrebsOnSecurity. In response to an inquiry from this office, the RCMP stopped short of naming names, but said “we can confirm that our National Division Cybercrime Investigative Team did execute a search warrant at a Toronto location last week.”
The RCMP said the raid was part of an international coordinated effort with the Federal Bureau of Investigation and the Australian Federal Police, as part of “a series of ongoing, parallel investigations into Remote Access Trojan (RAT) technology. This type of malicious software (malware) enables remote access to Canadian computers, without their users’ consent and can lead to the subsequent installation of other malware and theft of personal information.”
“The CRTC executed a warrant under Canada’s Anti-Spam Legislation (CASL) and the RCMP National Division executed a search warrant under the Criminal Code respectively,” reads a statement published last week by the Canadian government. “Tips from international private cyber security firms triggered the investigation.”
Rezvesz maintains his software was designed for legitimate use only and for system administrators seeking more powerful, full-featured ways to remotely manage multiple PCs around the globe. He’s also said he’s not responsible for how licensed customers use his products, and that he actively kills software licenses for customers found to be using it for online fraud.
Yet the list of features and plugins advertised for this RAT includes functionality that goes significantly beyond what one might see in a traditional remote administration tool, such as DDoS-for-hire capabilities, and the ability to disable the light indicator on webcams so as not to alert the target that the RAT is active.
“It can also implement a watchdog that restarts the server component or even trigger a Blue Screen of Death (BSOD) if someone tries to kill its process,” wrote researchers at security firm Fortinet in a Dec. 2017 analysis of the RAT. “This makes it harder for targets to remove it from their systems. These are, of course, on top of the obviously ominous features such as password retrieval and key logging that are normally seen in Remote Access Trojans.”
As KrebsOnSecurity noted in 2016, in conjunction with his RAT Rezvesz also sold and marketed a bulletproof “dynamic DNS service” that promised not to keep any records of customer activity.
One interesting patch from Microsoft this week comes in response to a 